Yuppa, Robert Rottscholl wrote: [...]
<?PHP $prog = 'cat /proc/uptime'; while ($i<count($prog)) { . . . } ?>
My question is: Is it safe to execute an external program when entering a site? Or is it generally a security risk? Which severity would you give (1 - low, 10 - highest)?
Ciao ;-)
Robert Rottscholl - DE
It's very risky to use external tools in PHP (and other) scripts if you
don't check the variables or if user input gets processed. I'd give it a
solid "8" on your scale...
For ex., if someone would somehow inject "mail and more (look into the php manual, chapter
XIV., Program Execution functions, for more info).
What's more, unchecked and insecure opening, using and closing of file
descriptors (e.g. for creating ascii output) may cause race conditions,
which would enable attackers to redirect the input or output stream,
thus overwriting critical data (shadow, anyone?) or "hijacking" the
stream (not too trivial, tho).
I have seen quite some php3/4 online shops who heavily rely on the
<hidden> html tag to store session IDs for non cookie-based sites in
order to hand the ID over to the next page and/or database. A simple
"http://<url of webshop>?sessionid=foobar" often is enough to inject
"foobar" instead of a real session-id in the variable, which may cause
serious problems (just think of badly programmed online payment
systems).
Even some existing password schemes programmed in php3/4 are affected by
this. Matt's script archive contains some of them... that's why it's a
VERY bad idea to download and use public scripts without at least a
basic security analysis.
Btw., take a look at the chapter "Security" in the php manual, too.
Boris Lorenz
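
The reply's point about unchecked variables reaching an external program, shown as an added example that is not code from this thread. `REPORTS`, `run_report` and the `report` request parameter are hypothetical names, and PHP 7.4 or later is assumed for the array form of `proc_open`.

```php
<?php
// Added example; all names here are hypothetical, not from the thread.
//
// Risky pattern the reply warns about: a request variable becomes part of
// a shell command line, e.g.  system('cat ' . $_GET['file']);
//
// Hardened form: the request only selects a key from a fixed allow-list,
// and the program is started without a shell, so no request data is ever
// interpreted as shell syntax.

const REPORTS = [
    'uptime' => ['/bin/cat', '/proc/uptime'],
    'load'   => ['/bin/cat', '/proc/loadavg'],
];

function run_report(string $key): string
{
    // Reject anything that is not an exact allow-list key.
    if (!array_key_exists($key, REPORTS)) {
        throw new InvalidArgumentException('unknown report');
    }

    // Array command form: PHP executes the binary directly, no /bin/sh.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(REPORTS[$key], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }

    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    // A non-zero exit status is treated as failure instead of being ignored.
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('report command failed');
    }
    return $out;
}

try {
    $key = isset($_GET['report']) && is_string($_GET['report'])
        ? $_GET['report'] : 'uptime';
    // Escape on output as well: command output is untrusted for HTML.
    echo htmlspecialchars(run_report($key), ENT_QUOTES);
} catch (Exception $e) {
    echo 'report unavailable';
}
```

For the fixed `/proc/uptime` case in the question, `file_get_contents('/proc/uptime')` avoids starting a process at all.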